The good news is the number of individuals impacted by a data breach in 2023 dropped 16% compared to the previous year. The awful news is the number of data compromises is up 78%, a new all-time high for percentage increase.
The analysis comes from Identity Theft Resource Center's (ITRC) 2023 Data Breach Report, released last week (PDF). Behind the seemingly contradictory data points is a trend where hackers have shifted focus to specific types of data and identity-related fraud versus massive attacks.
According to ITRC, in 2023 there were 3,205 publicly reported data compromises that impacted an estimated 353,027,892 individuals, representing a 78% increase in events over the previous year. The number of victims impacted represents a 16 percentage point reduction from 2022.
"Each year we are asked 'why the increase in events?' and 'what can be done to protect against a data breach?'" wrote Eva Velasquez, CEO of ITRC. "There’s never any one reason why compromises go up or down just as there are no actions that are 100 percent effective in stopping breaches or the identity crimes."
Maybe to blame
She said several underlying factors have contributed to the yearly uptick in reported breach events and hampered efforts to thwart them. Velasquez points to the impact of a growing number of supply chain attacks. “A single supply chain attack can directly or indirectly impact hundreds or thousands of businesses that rely on the same vendor,” she writes.
She is also critical of the 20-year-old legislative and regulatory systems meant to alert consumers to breaches. Velasquez calls those systems “broken.”
“Stronger reporting requirements can help warn other vulnerable businesses of the risk associated with a similar attack,” she said. “Businesses under or non-report breaches. We need to bring a level of uniformity to the breach notice process to help protect both consumers and business.”
She added that increased due diligence when it comes to vendors and data protection is also in order.
2023 Data Breach Report insights
Healthcare, financial services and transportation were the top three industries reporting more than double the number of compromises from 2022, while healthcare had the most reported breaches.
Cyberattacks were the leading attack vector for a fifth year with 2,365 reported events, while phishing-related (438) and ransomware attacks (246) were down slightly, according to ITRC's own survey data.
Also noted in the report was the number of data breach notices without specific information nearly doubling year-over-year. In 2023, more than 1,400 public breach notices did not contain information about an attack vector compared with 716 in 2022.
Solutions for 2024 and beyond
Driving breaches in 2024 will be more sophisticated phishing attacks and other types of identity fraud driven by the abuse of generative AI platforms. Improved phishing lures and highly effective AI-driven social engineering attacks will drive business losses in the year ahead.
"Nation state threat actors will drive new levels of identity crimes in 2024, especially impersonation and synthetic identity fraud," the report stated.
In its report, ITRC suggests several proactive steps to reduce the impact data breaches have on individuals and business victims. Those include:
- Uniform Breach Notice Law
- Pairing Digital Credentials & Facial Comparison Systems (not facial recognition)
- Improve Vendor Due Diligence
- Breach Alerts for Business (commercial service offered by ITRC)